Internet DRAFT - draft-kelly-capwap-lwapp-dtls
draft-kelly-capwap-lwapp-dtls
Network Working Group S. Kelly
Internet-Draft Talari Networks
Expires: June 15, 2006 E. Rescorla
Network Resonance
December 12, 2005
Securing LWAPP with DTLS
draft-kelly-capwap-lwapp-dtls-01
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 15, 2006.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
The LWAPP protocol defines interactions between wireless termination
points and wireless access controllers. Communications between these
components must be secured, and the current specification provides
for transport security using proprietary mechanisms which are
embedded in the protocol. This document describes an alternative
approach which eliminates the embedded security, and instead uses
DTLS as a secure, tightly-integrated wrapper.
Kelly & Rescorla Expires June 15, 2006 [Page 1]
Internet-Draft Securing LWAPP with DTLS December 2005
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Inserting DTLS . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Control/Data Channel Considerations . . . . . . . . . . . 7
2.1.1. Separate Control/Data Channel Ports . . . . . . . . . 8
2.1.2. Adding a Protocol Mux . . . . . . . . . . . . . . . . 8
3. Endpoint Authentication using DTLS . . . . . . . . . . . . . . 8
3.1. Authenticating with Certificates . . . . . . . . . . . . . 9
3.2. Authenticating with Preshared Keys . . . . . . . . . . . . 9
4. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 10
5. Security Considerations . . . . . . . . . . . . . . . . . . . 10
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
7.1. Normative References . . . . . . . . . . . . . . . . . . . 11
7.2. Informative References . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
Intellectual Property and Copyright Statements . . . . . . . . . . 14
Kelly & Rescorla Expires June 15, 2006 [Page 2]
Internet-Draft Securing LWAPP with DTLS December 2005
1. Introduction
The Light Weight Acess Point Protocol (LWAPP) provides for
centralized control and management of Wireless Termination Points
(WTPs) by devices referred to as Access Controllers (ACs). For more
detail on this protocol and/or these components, see [LWAPP]. The
CAPWAP working group is currently considering using LWAPP as the
basis for a standardized AC-WTP control protocol (recommended in
[CAPWAP-EVAL]).
LWAPP currently includes security elements which provide for the
following capabilities:
o Endpoint Authentication - AC and WTP are strongly authenticated
using either public key certificates or shared secrets (also known
as "pre-shared keys").
o Data Confidentiality - (AC-WTP control channel) data is encrypted
using the 128-bit AES-CBC algorithm.
o Data Integrity/Origin Authenticity - an Integrity Check Value
(ICV) is computed using 128-bit AES-CBC-MAC (a keyed MAC).
The current LWAPP security scheme has been through at least one
security review [LWAPP-SEC], the results of which were favorable.
Still, the protocol evaluation team concluded that LWAPP would
benefit from replacement of its proprietary security scheme with a
standardized, more widely deployed facility such as DTLS [DTLS].
Why replace LWAPP's security mechanism, when so far, security
evaluations have not found it wanting? There are at least two good
reasons:
o Industry experience/review - to the chagrin of many protocol
designers, it has been often demonstrated that subtle security
flaws may escape the most diligent reviewer. As a result, the
cryptographic community invests significant effort in the ongoing
analysis of deployed (and proposed) security mechanisms.
Sometimes problems are found very quickly, but in other cases
issues my not be discovered for years. Thus, security protocols
and mechanisms which have been extensively deployed and analyzed
are almost always preferable to those which have not.
o Algorithm Agility - Because most cryptographic algorithms are
eventually either broken outright or rendered computationally
insufficient by advancing technology, it is crucial to have the
ability to easily replace outdated or compromised algorithms.
Kelly & Rescorla Expires June 15, 2006 [Page 3]
Internet-Draft Securing LWAPP with DTLS December 2005
Note that LWAPP, while having gone through some security review, has
not yet provided the opportunity for the sort of extensive public
review and analysis that TLS [TLS11] has enjoyed. Also, LWAPP
provides no facility for algorithm negotiation - changing security
algorithms would require a change to the protocol standard, along
with firmware upgrades for both WTP and AC. This is clearly
undesirable.
DTLS, on the other hand, is a standards-track effort which is based
upon TLS. The underlying security-related protocol mechanisms have
been successfully deployed for many years now. The TLS protocol is
well-understood from an operational perspective, and with the recent
specification of its datagram-based variant, is an obvious choice for
meeting the security requirements of LWAPP.
2. Inserting DTLS
Note that for the time being, only the UDP transport mechanism for
LWAPP is considered. Since the evaluation document recommends
eliminating layer 2 encapsulation support, it is not addressed here.
Should this change, the mechanism described below in section 2.1.2
could be used to partially address that case.
From a high level, simple replacement of the LWAPP security
mechanisms with DTLS amounts to something like this:
1. Replace the JOIN phase with DTLS session establishment
2. Replace LWAPP re-key functionality with a DTLS re-key
3. Remove the existing LWAPP security scheme
This amounts to employing DTLS as a tightly-integrated secure
wrapper. Here is the resulting LWAPP state machine:
Kelly & Rescorla Expires June 15, 2006 [Page 4]
Internet-Draft Securing LWAPP with DTLS December 2005
/-------------\
| v
| +------------+
| C| Idle |<--------------------------------------+
| +------------+ |
| ^ |a ^ |
| | | \----\ y |
| | | | +-------------+------------+ z |
| | | | | | DTLS-rekey |-\ |
| | | | | +--------->+------------+ | |
| | | | | | | ^
| | | |t V | x | |
| | | +--------+--+ +------------+ | |
| / | C| Run |------>| DTLS-Reset |<+--|----\
| / | r+-----------+ u +------------+ | | |
| / | ^ ^ v| | | |
| | v | | | | | |
| | +--------------+ | /----/ V V | |
| | C| Discovery | q| o| +-------+ | |
| | b+--------------+ +-------------+ | Reset |-+ w |
| | |d f| ^ | Configure | +-------+ |
| | | | | +-------------+ |
| |e v | | ^ |
| +---------+ v |i 2| |
| C| Sulking | +------------+ +--------------+ |
| +---------+ C| DTLS-Init |--->| DTLS-Complete| |
| g+------------+ z +--------------+ |
| |h m| |4 |
| | | v o /
\ | | +------------+-------/
\-----------------/ \------------->| Image Data |C
+------------+n
Figure 1: LWAPP State Machine w/DTLS Support
Following is a description of the associated state changes. Note
that we only address those which are new:
Discovery to DTLS-Init (f): This state is used by the WTP to confirm
its commitment to an AC that it wishes to be provided service, and to
simultaneously establish a secure control channel.
WTP: The WTP selects the best AC based on the information it
gathered during the Discovery Phase. It then initiates a DTLS
connection with its preferred AC. The WTP starts the WaitJoin
Timer.
Kelly & Rescorla Expires June 15, 2006 [Page 5]
Internet-Draft Securing LWAPP with DTLS December 2005
AC: The AC enters this state for the given WTP upon reception of a
DTLS initialization request. The AC processes the request and
responds by engaging in DTLS negotiation with the WTP.
DTLS-Init to Discovery (i): This state is used to return the WTP to
discovery mode when an unresponsive AC is encountered.
WTP: The WTP enters this state when the WaitJoin timer expires
prior to successful completion of DTLS negotiation.
AC: This state transition is invalid.
DTLS-Init to DTLS-Complete (z): This state is used to indicate DTLS
session establishment.
WTP: This state is entered when the WTP and AC complete DTLS
negotiation.
AC: This state is entered when the WTP and AC complete DTLS
negotiation.
Run to DTLS-Reset (u): This state is used to when the AC or WTP wish
to tear down the connection.
WTP: The WTP enters this state when it wishes to initiate orderly
termination of the DTLS connection; the WTP sends the a TLS
Finished message.
AC: The AC enters this state upon receipt of TLS Finished message
from the WTP.
Image-data to DTLS-Reset (o): This state is used to reset the
connection prior to restarting the WTP after an image download.
WTP: The WTP enters this state when image download completes
AC: The AC enters this state upon receipt of TLS Finished message
from the WTP.
DTLS-Reset to Reset (v): This state is used to complete DTLS session
tear-down
WTP: The WTP enters this state when it has completed DTLS session
cleanup, and it is ready to finish LWAPP session clean-up.
Kelly & Rescorla Expires June 15, 2006 [Page 6]
Internet-Draft Securing LWAPP with DTLS December 2005
AC: The AC enters this state when it has completed DTLS session
cleanup, and it is ready to finish LWAPP session clean-up.
Run to DTLS-Rekey (x): This state is used to initiate a new DTLS
handshake. Either the WTP or AC may initiate the state transition.
It is important to note that this might more accurately be termed a
"meta-state", as the DTLS re-handshake is transparent to the LWAPP
protocol, and may even be interpersed with other LWAPP control
messages.
WTP: The WTP enters this state when either (1) a rekey is
required, or (2) the AC initiates a DTLS handshake.
AC: The AC enters this state when either (1) a rekey is required,
or (2) the WTP initiates a DTLS handshake.
DTLS-Rekey to Reset (z): This state is used to clean up when a DTLS
handshake fails.
WTP: The WTP enters this state when a DTLS handshake fails.
AC: The AC enters this state when a DTLS handshake fails.
2.1. Control/Data Channel Considerations
Note that while this scheme seems quite simple at first glance, there
is one complication. Currently, LWAPP only applies security to
control channel communications, and relies upon external facilities
for securing user data. In order to preserve this convention, we
must be able to distinguish between control and data packets,
forwarding only control packets to the DTLS engine.
This task is complicated by the fact that LWAPP currently
distinguishes between control and data traffic using the 'C' bit in
the LWAPP header. This is possible even on the encrypted control
channel because the LWAPP header is not encrypted - in the case of
the control channel, it is only authenticated:
+--------+---------+-----------+-------------------------+-----------+
| IP Hdr | UDP Hdr | LWAPP Hdr | Data | LWAPP Tlr |
+--------+---------+-----------+-------------------------+-----------+
\------ encrypted ------/
\-------- authenticated -----------/
Figure 2: Current LWAPP Packet Security
DTLS, on the other hand, provides for securing the entire channel.
If the LWAPP packets are encapsulated within DTLS, the LWAPP header
Kelly & Rescorla Expires June 15, 2006 [Page 7]
Internet-Draft Securing LWAPP with DTLS December 2005
will be encrypted:
+--------+---------+---------+-----------+-------------+----------+
| IP Hdr | UDP Hdr |DTLS Hdr | LWAPP Hdr | Data | DTLS Tlr |
+--------+---------+---------+-----------+-------------+----------+
\--------- authenticated ---------/
\------------ encrypted -----------/
Figure 3: LWAPP+DTLS Packet Security
A direct consequence of this is that with DTLS encapsulation, we
cannot distinguish between control traffic and data without first
decrypting the packet - this means we must establish separate
channels if we do not wish to encrypt data channel traffic. Two
methods for accomplishing this are discussed below.
2.1.1. Separate Control/Data Channel Ports
The simplest solution entails using separate ports for LWAPP control
and data traffic, with DTLS securing only the control channel. The
control traffic could continue to utilize the current well-known
LWAPP port. For the data channel, a new port could be assigned by
IANA, or it could instead be specified by the AC after the DTLS
session is established, providing some additional flexibility. Note
that this solution will not work for layer 2 LWAPP encapsulation.
However, if L2 support is to be removed from LWAPP, this point is
moot.
2.1.2. Adding a Protocol Mux
An alternative solution entails adding a protocol multiplexer module
between the packet input/output and the DTLS modules, and adding an
additional small associated LWAPP header between the UDP header and
the DTLS record layer header. While this LWAPP header need only
contain a single bit to differentiate between control/data traffic,
alignment concerns suggest the header would most likely be either 32
or 64 bits in length.
3. Endpoint Authentication using DTLS
Currently, LWAPP supports authentication using either public key
certificates or shared secrets (pre-shared keys). DTLS support
implies no changes in this regard. Certificate-based authentication
is natively supported, and support for preshared keys is currently
progressing toward standardization (see [TLS-PSK]). Below we
describe supported TLS algorithm suites for each endpoint
Kelly & Rescorla Expires June 15, 2006 [Page 8]
Internet-Draft Securing LWAPP with DTLS December 2005
authentication method.
3.1. Authenticating with Certificates
Note that only block ciphers are currently recommended for use with
DTLS. To understand the reasoning behind this, see [DTLS-DESIGN].
The following algorithms MUST be supported when using certificates
for LWAPP authentication:
o TLS_RSA_WITH_AES_128_CBC_SHA
o TLS_RSA_WITH_3DES_EDE_CBC_SHA
The following algorithms SHOULD be supported when using certificates:
o TLS_DH_RSA_WITH_AES_128_CBC_SHA
o TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
The following algorithms MAY be supported when using certificates:
o TLS_RSA_WITH_AES_256_CBC_SHA
o TLS_DH_RSA_WITH_AES_256_CBC_SHA
Certificates should be verified in the same manner as currently
specified in LWAPP.
3.2. Authenticating with Preshared Keys
Pre-shared keys present significant challenges from a security
perspective, and for that reason, their use is strongly discouraged.
However, [TLS-PSK] defines 3 different methods for authenticating
with preshared keys:
o PSK key exchange algorithm - simplest method, ciphersuites use
only symmetric key algorithms
o DHE_PSK key exchange algorithm - use a PSK to authenticate a
Diffie-Hellman exchange. These ciphersuites give some additional
protection against dictionary attacks and also provide Perfect
Forward Secrecy (PFS).
o RSA_PSK key exchange algorithm - use RSA and certificates to
authenticate the server, in addition to using a PSK. Not
susceptible to passive attacks.
The first approach (PSK) is susceptible to passive dictionary
Kelly & Rescorla Expires June 15, 2006 [Page 9]
Internet-Draft Securing LWAPP with DTLS December 2005
attacks; hence, that method MUST NOT be used. If support for pre-
shared keys is desired, then DHE_PSK MUST be supported, and RSA_PSK
MAY be supported.
The following cryptographic algorithms MUST be supported when using
preshared keys:
o TLS_PSK_WITH_AES_128_CBC_SHA
o TLS_PSK_WITH_3DES_EDE_CBC_SHA
The following algorithms SHOULD be supported when using preshared
keys:
o TLS_PSK_WITH_AES_256_CBC_SHA
The following algorithms MAY be supported when using preshared keys:
o TLS_RSA_PSK_WITH_AES_128_CBC_SHA
o TLS_RSA_PSK_WITH_AES_256_CBC_SHA
o TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
4. Conclusions
DTLS represents a strong replacement candidate for the existing LWAPP
security scheme. In addition to being a known quantity which has
received and will continue to receive a healthy dose of ongoing
analysis and review from the cryptographic community, it supports all
required LWAPP security functionality, and also provides for
algorithm agility should the need arise. Further, its negotiation
capability provides for a measure of implementation flexibility not
possible with the current LWAPP scheme.
While it is not a drop-in replacement, it requires a reasonably
bounded amount of change to the existing state machine and packet
formats. As noted, since DTLS does not provide for unequal
encryption vs authentication lengths within a packet, it requires
adding either a secondary data port or a short demux header.
5. Security Considerations
The security of LWAPP over DTLS is completely dependent on the
security of DTLS. Any flaws in DTLS compromise the security of
LWAPP. In particular, it is critical that the communicating parties
Kelly & Rescorla Expires June 15, 2006 [Page 10]
Internet-Draft Securing LWAPP with DTLS December 2005
verify their peer's credentials. In the case of pre-shared keys,
this happens automatically via the key. In the case of certificates,
the parties must check the peer's certificate. The appropriate
checks are described in the current LWAPP document
The use of parallel protected and unprotected channels deserves
special consideration, but does not create a threat. There are two
potential concerns: attempting to convert protected data into un-
protected data and attempting to convert un-protected data into
protected data. The use of the MAC makes it impossible for the
attacker to forge protected records. The attacker can easily remove
protected records from the stream (this is a consequence of
unreliability), though not undetectably so. If a non-encrypted
cipher suite is in use, the attacker can turn such a record into an
un-protected record. However, this attack is really no different
from simple injection into the unprotected stream.
6. IANA Considerations
Should a separate UDP port for data channel communications be the
selected demultiplexing mechanism, a port must be assigned for this
purpose. Should a demultiplexing header be used instead, there may
be additional IANA requirements (we'll cross that bridge if we come
to it).
7. References
7.1. Normative References
[DTLS] Rescorla et al, E., "Datagram Transport Layer Security",
June 2004.
[LWAPP] Calhoun et al, P., "Light Weight Access Point Protocol",
June 2005, <http://www.ietf.org>.
[TLS-PSK] Eronen et al, P., "Pre-Shared Key Ciphersuites for
Transport Layer Security (TLS)", June 2005.
7.2. Informative References
[CAPWAP-EVAL]
Lohrer et al, D., "Evaluation of Candidate CAPWAP
Protocols", August 2005, <http://www.ietf.org>.
[DTLS-DESIGN]
Modadugu et al, N., "The Design and Implementation of
Kelly & Rescorla Expires June 15, 2006 [Page 11]
Internet-Draft Securing LWAPP with DTLS December 2005
Datagram TLS", Feb 2004.
[LWAPP-SEC]
Clancy, C., "Security Review of the Light Weight Access
Point Protocol", May 2005.
[TLS11] Dierks et al, T., "The TLS Protocol Version 1.1",
June 2005.
Kelly & Rescorla Expires June 15, 2006 [Page 12]
Internet-Draft Securing LWAPP with DTLS December 2005
Authors' Addresses
Scott G. Kelly
Talari Networks
150 W. Iowa Ave Ste 208
Sunnyvale, CA 94086
US
Email: scott@hyperthought.com
Eric Rescorla
Network Resonance
2483 El Camino Real, #212
Palo Alto, CA 94303
US
Email: ekr@networkresonance.com
Kelly & Rescorla Expires June 15, 2006 [Page 13]
Internet-Draft Securing LWAPP with DTLS December 2005
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Kelly & Rescorla Expires June 15, 2006 [Page 14]